Enable proxy protocol for Ingress Envoy #561
Comments
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/175595206 The labels on this GitHub issue will be updated when the story is started.
Hi. Can you say why
Also, have you tried configuring
Hello mike1808,
After that I tried to curl the app which returns the "x-Forwarded-For-Header". I got:
The problem is that the LoadBalancer tries to speak the proxy protocol with EnvoyProxy, which Envoy does not understand as it is disabled by default. If the proxy protocol is enabled on both sides, then a single additional TCP packet, containing the real client IP, is sent during the initial connection setup. If I apply the EnvoyFilter in order to enable the proxy protocol on the Envoy side, I get the real client IP:
We would like to provide the PR in order to enable this feature. Best regards,
I heard about this PR and wanted to thank the SAP team for contributing! With regard to user experience for enabling this capability in cf-for-k8s, what is the risk of having it enabled all the time, rather than offering a field in
Hi @shalako, thanks for the feedback. The proxy protocol needs to be enabled on both sides of the communication. The proxy_protocol filter in Envoy expects that the proxy protocol is used, otherwise the TCP connection cannot be established. We also tested it with AWS and GCP load balancers. In both cases we got the error:
Therefore we think that it is necessary to make it configurable. See also [1]: "Note: if the filter is enabled, the Proxy Protocol must be present on the connection (either version 1 or version 2), the standard does not allow parsing to determine if it is present or not."
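The both-sides requirement described in the comment above, as an added example that is not part of the original thread and is not Envoy or cf-for-k8s code: a strict parser for the text (version 1) PROXY protocol header that rejects any connection not starting with one. All names and the sample bytes are constructed for illustration.

```python
import ipaddress

V1_MAX = 107                        # longest v1 header the spec allows, CRLF included
V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte signature that opens a v2 (binary) header

class ProxyHeaderError(ValueError):
    """The connection does not start with a valid PROXY protocol v1 header."""

def parse_proxy_v1(data: bytes):
    """Return ((client_ip, client_port) or None, remaining_payload).

    There is deliberately no fallback to "no header": once the receiver
    expects the PROXY protocol, a connection without it is rejected.
    """
    if data.startswith(V2_SIG):
        raise ProxyHeaderError("v2 binary header is out of scope for this example")
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("PROXY header missing; sender is not speaking the protocol")
    end = data.find(b"\r\n", 0, V1_MAX)
    if end == -1:
        raise ProxyHeaderError("header not terminated within 107 bytes")
    payload = data[end + 2:]
    try:
        fields = data[:end].decode("ascii").split(" ")
        if fields[1] == "UNKNOWN":      # sender could not determine the addresses
            return None, payload
        proto, src, dst, sport, dport = fields[1:]
        version = {"TCP4": 4, "TCP6": 6}[proto]
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        ports = (int(sport), int(dport))
    except (ValueError, KeyError) as exc:
        raise ProxyHeaderError(f"malformed v1 header: {exc!r}") from None
    if {src_ip.version, dst_ip.version} != {version}:
        raise ProxyHeaderError("address family does not match declared protocol")
    if not all(0 <= p <= 65535 for p in ports):
        raise ProxyHeaderError("port out of range")
    return (str(src_ip), ports[0]), payload

# Constructed sample connections (documentation addresses, not real traffic).
REQUEST = b"GET / HTTP/1.1\r\nHost: app.example.com\r\n\r\n"
FROM_LB_WITH_PROXY = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n" + REQUEST
FROM_LB_WITHOUT_PROXY = REQUEST

if __name__ == "__main__":
    print(parse_proxy_v1(FROM_LB_WITH_PROXY)[0])
    try:
        parse_proxy_v1(FROM_LB_WITHOUT_PROXY)
    except ProxyHeaderError as exc:
        print("rejected:", exc)
```

The header is unauthenticated plain text, so a receiver that has it enabled should only be reachable from the load balancer; any other sender could state an arbitrary client address.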
Thank you for the explanation. That sounds reasonable.
Is your feature request related to a problem? Please describe.
Some Load Balancers like AWS ELB replace the client IP with their own IP. In that case the feature "X-Forwarded-For" cannot be used because the X-Forwarded-For-Header contains the IP of the Load Balancer. By using Proxy Protocol between LB and Ingress Envoy, the client IP will be set in the X-Forwarded-For-Header by Envoy.
Describe the solution you'd like
Apply an EnvoyFilter to enable the proxy protocol on the Envoy side. Make it configurable via values.
Additional context
Enabling the proxy protocol on the Load Balancer side is not part of this feature request because it is a Load Balancer specific configuration.